
Add test for user removed from project

This test validates that a user who is added to a project can see the
cluster and, once removed, can no longer see the cluster.
dramich authored and cjellick committed Aug 13, 2018
1 parent 4bbcf61 commit 61b9873afaf1c491cc3a0846c0c9a541e320288c
Showing with 66 additions and 5 deletions.
  1. +1 −0 .gitignore
  2. +12 −4 tests/core/conftest.py
  3. +52 −0 tests/core/test_rbac.py
  4. +1 −1 tests/requirements.txt
@@ -18,3 +18,4 @@
__pycache__
/management-state
/rancher
*.pytest_cache
@@ -88,7 +88,7 @@ def cluster_and_client(cluster_id, mgmt_client):
@pytest.fixture
def admin_pc(request, admin_cc):
"""Returns a ProjectContect for a newly created project in the local
"""Returns a ProjectContext for a newly created project in the local
cluster for the default global admin user. The project will be deleted
when this fixture is cleaned up."""
admin = admin_cc.management.client
@@ -106,13 +106,15 @@ def admin_pc(request, admin_cc):
@pytest.fixture
def user_mc(admin_mc):
def user_mc(admin_mc, remove_resource):
"""Returns a ManagementContext for a newly created standard user"""
admin = admin_mc.client
username = random_str()
password = random_str()
user = admin.create_user(username=username, password=password)
admin.create_global_role_binding(userId=user.id, globalRoleId='user')
remove_resource(user)
grb = admin.create_global_role_binding(userId=user.id, globalRoleId='user')
remove_resource(grb)
response = requests.post(AUTH_URL, json={
'username': username,
'password': password,
@@ -188,7 +190,13 @@ def remove_resource(admin_mc, request):
client = admin_mc.client
def _cleanup(resource):
request.addfinalizer(lambda: client.delete(resource))
def clean():
try:
client.delete(resource)
except ApiError as e:
if e.error.status != 404:
raise e
request.addfinalizer(clean)
return _cleanup
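Review bot: `raise e` inside the `except ApiError as e:` branch of clean() should be a bare `raise`, which re-raises the caught exception without adding a second traceback entry; change the line `raise e` to `raise`. The 404 tolerance exists because a test can delete the resource itself before the finalizer runs (test_removing_user_from_cluster in this commit deletes the binding it also registered), so a short comment above the except such as `# resource may already be gone, e.g. deleted by the test itself` would help the next reader. In the user_mc hunk, registering `remove_resource(user)` before creating the global role binding is the right order, since finalizers run last-in-first-out and the binding is then removed before the user. The remove_resource fixture's signature and the end of user_mc are outside the hunks.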
@@ -1,4 +1,5 @@
import kubernetes
from rancher import ApiError
from .common import random_str
from .conftest import wait_until_available,\
cluster_and_client, kubernetes_api_client, wait_for
@@ -112,3 +113,54 @@ def can_create_ns():
})
response = auth.create_self_subject_access_review(access_review)
assert response.status.allowed is True
def test_removing_user_from_cluster(admin_pc, admin_mc, user_mc, admin_cc,
remove_resource):
"""Test that a user added to a project in a cluster is able to see that
cluster and after being removed from the project they are no longer able
to see the cluster.
"""
# Yes, this is misspelled, it's how the actual label is spelled.
mbo = 'memberhsip-binding-owner'
admin_client = admin_mc.client
prtb = admin_client.create_project_role_template_binding(
userId=user_mc.user.id,
roleTemplateId="project-member",
projectId=admin_pc.project.id,
)
remove_resource(prtb)
# Verify the user can see the cluster
wait_until_available(user_mc.client, admin_cc.cluster)
api_instance = kubernetes.client.RbacAuthorizationV1Api(
admin_mc.k8s_client)
# Find the expected k8s clusterRoleBinding
crbs = api_instance.list_cluster_role_binding(
label_selector=prtb.uuid+"="+mbo)
assert len(crbs.items) == 1
# Delete the projectRoleTemplateBinding, this should cause the user to no
# longer be able to see the cluster
admin_mc.client.delete(prtb)
def crb_callback():
crbs = api_instance.list_cluster_role_binding(
label_selector=prtb.uuid+"="+mbo)
return len(crbs.items) == 0
def fail_handler():
return "failed waiting for cluster role binding to be deleted"
wait_for(crb_callback, fail_handler=fail_handler)
try:
cluster = user_mc.client.by_id_cluster(admin_cc.cluster.id)
assert cluster is None
except ApiError as e:
assert e.error.status == 403
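Review bot: The final visibility check at the end of the hunk is a single call to user_mc.client.by_id_cluster made right after waiting only for the ClusterRoleBinding to disappear; if the management API's view of the user's permissions lags the CRB deletion this one-shot assertion can flake, so the check itself should be polled with wait_for, as the CRB lookup above it already is. The try/except also accepts two different outcomes (a None result or a 403 ApiError) without saying why both are acceptable; a comment such as `# the API may either hide the cluster (None) or refuse access (403)` would make that intent explicit. A non-403 ApiError should keep failing fast as it does now, so the polling callback re-raises it. test_removing_user_from_cluster ends within the hunk.
```python
    # … unchanged: binding creation, CRB lookup and deletion wait …

    def cluster_hidden():
        # The API may either hide the cluster (None) or refuse access (403).
        try:
            cluster = user_mc.client.by_id_cluster(admin_cc.cluster.id)
        except ApiError as e:
            if e.error.status != 403:
                raise
            return True
        return cluster is None

    def hidden_fail_handler():
        return "failed waiting for the user to lose access to the cluster"

    wait_for(cluster_hidden, fail_handler=hidden_fail_handler)
```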
@@ -1,5 +1,5 @@
git+https://github.com/rancher/client-python.git@fb39798a240b2af6af011f2b69caeea037fe9a08
websocket-client==0.23.0
websocket-client==0.48.0
PyJWT==1.4.0
flake8==2.5.1
